As email becomes more secure, threat actors are expected to pivot focus towards other methods like smishing (SMS phishing) and vishing (voice phishing). Here’s why and how you can protect your people and your company.
Google’s recent announcement on enhanced email security measures for bulk senders, set to begin in February 2024 and including mandatory email authentication, simplified unsubscribe options, and a clear spam rate threshold, is the latest update in a series focused on creating a more secure and trustworthy email environment. This announcement comes on the heels of the implementation of BIMI (Brand Indicators for Message Identification), officially rolled out on May 3, 2023, allowing verified brands to display their logos in emails, thus providing an additional layer of security and authenticity. These measures aim to significantly curtail spam and phishing via email.
While the new security protections might be less effective in deterring spear-phishing or more mature email phishing operations adept at appearing legitimate, they will make mass email phishing more difficult for cybercriminals. As a result, the new protections will likely inadvertently redirect threat actors to alternative methods like smishing and vishing. These attack vectors involve sending deceptive text messages (smishing/SMS phishing) or making fraudulent phone calls (vishing/voice phishing) to trick victims into divulging sensitive information.
The Rise of Smishing and Vishing
The increasing prevalence of smishing and vishing poses a significant and sophisticated threat to a wide range of organizations. High-profile breaches like the 2022 Twilio incident, which was part of the larger 0ktapus campaign impacting over 130 organizations, used SMS and voice phishing to obtain employee credentials. Numerous other examples could be cited across sectors, including technology firms, gaming companies, financial institutions, and healthcare providers. These instances are part of a broader increase in such attacks, with reports indicating a seven-fold rise in 2022. As email security tightens, it’s likely we’ll see an even greater prevalence of these more personal attack methods.
Cybercriminals are increasingly relying on multi-vector attacks, blending email phishing with smishing and vishing, creating a more complex threat landscape. This tactic increases the difficulty of detection and response, as it spans multiple communication channels and often plays on the psychological readiness of the victim.
Evolving Cyber Tactics
Historically, as cyber defenses have improved, threat actors have had to evolve their tactics. With the rollout of new Gmail security measures for bulk senders expected to become the new industry standard, we can anticipate a shift in threat actor behavior.
Compounding the situation is the sophisticated use of artificial intelligence across various phishing campaigns, including spear-phishing, smishing, and vishing. AI technologies are now being employed not only to create highly personalized email content but also to tailor deceptive text messages and phone calls. These advanced attacks, capable of mimicking the writing or speaking style of known contacts, represent a significant shift in tactics. This makes them challenging to distinguish from legitimate communications for both users and security software, broadening the threat landscape.
Broadening the Security Scope
Recent incidents such as the 0ktapus campaign have shown that attackers don’t hesitate to target employees broadly, leveraging exposed data for mass smishing campaigns aimed at credential harvesting. These attacks highlight that vulnerability extends beyond VIPs and executives to include any accessible individual within an organization.
Smishing and vishing leverage exposed employee phone numbers, which are easily accessible through data broker sites. These attacks succeed because they mimic trusted sources, for example by using spoofed company domains or impersonating company personnel. Similarly, spear-phishing attacks exploit personal information from data brokers and sites like LinkedIn, and can target not only high-profile individuals but also their support staff, family members, and anyone else who can provide an attacker with privileged access. To proactively guard against the expected rise in spear-phishing, smishing, and vishing, security teams need to broaden their focus beyond high-value targets and minimize the availability of personal information for the larger employee population. This step is critical: it complements other security measures, such as robust multi-factor authentication (MFA) and physical FIDO2-compliant tokens, to build a proactive and comprehensive defense against these evolving cyber threats.
Forward-Thinking Cybersecurity: A Call to Action
Securing exposed employee data complements the principles outlined in the NIST Cybersecurity Framework (CSF) and MITRE ATT&CK framework. The NIST CSF, with its ‘Identify’ and ‘Protect’ functions, inherently supports actions like minimizing employee data exposure to mitigate risks. The MITRE ATT&CK framework, which details various cyber threat tactics and techniques, includes a pre-attack phase focusing on reconnaissance. By minimizing public exposure of employee data, organizations disrupt potential reconnaissance efforts, addressing a crucial component of the cyber-attack lifecycle often overlooked in cybersecurity strategies. This proactive stance on data privacy is essential for enhancing organizational security.
As the cybersecurity landscape evolves, particularly with the advent of new email security measures, it’s imperative for organizations to adapt their strategies. This includes recognizing the increasing threat of smishing, vishing, and sophisticated spear-phishing attacks and the essential role that exposed PII plays in these attacks. By including the removal of exposed employee information as part of their cybersecurity defenses, organizations can proactively mitigate these risks. The integration of data privacy into cybersecurity strategies is not just a recommended practice, but a necessary step in building a resilient defense against the sophisticated cyber threats of today and tomorrow.
Interested in getting ahead of this escalating threat landscape?
Optery provides the most advanced, transparent, and efficient data broker scanning and removal service in the world. Whether for individuals or families seeking to safeguard their personal information, or businesses looking to bolster their cybersecurity posture, Optery can help.